CVE-2024-4084

Name of the Vulnerable Software and Affected Versions mintplex-labs/anything-llm (affected versions not specified)

Description A Server-Side Request Forgery (SSRF) vulnerability exists, allowing attackers to bypass restrictions intended to limit access to intranet IP addresses and protocols. Despite filtering out intranet IP addresses starting with 192, 172, 10, and 127, and limiting access protocols to HTTP and HTTPS, attackers can bypass these restrictions using alternative IP address representations and accessing other ports on localhost. This enables attackers to access internal network assets, attack internal web services, scan internal hosts, and potentially access AWS metadata endpoints. The issue is due to insufficient validation of user-supplied URLs.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.